Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Assigning Roles from AD Groups

  • 1.  Assigning Roles from AD Groups

    Posted May 03, 2019 08:16 AM

    I assign a number of Roles to a userid based upon the AD group it is a member of. I've got this working for a number of Roles, but one refuses to be assigned, even though I know the userid is a member of the group.

    1) Authentication of the userid is performed by a service that has an authentication source with a base DN of

    ou=users,ou=uoy,dc=its,dc=york,dc=ac,dc=uk

    Search scope of one.

    2) Service authorisation is also performed, and another authorization source with a slightly different base DN has been added to the above one:

    ou=inst,ou=groups,ou=uoy,dc=its,dc=york,dc=ac,dc=uk

    Search scope of one.

    In the AD tree, amongst other things at the ou=inst,ou=groups,ou=uoy,dc=its,dc=york,dc=ac,dc=uk level I've got

    cn=testclearpass - a test AD group with my userid in it

    and

    cn=g0790stf - an AD group with all the network team userids in it

    I have 2 roles defined: UoY Network Team and UoY DPS Staff.

    UoY Network Team is assigned via the statement

    (Authorization:UoY AD Authentication:memberOf CONTAINS cn=g0790stf,ou=Inst,ou=Groups,ou=UoY,DC=its,DC=york,DC=ac,DC=uk
    OR (Authentication:Username EQUALS_IGNORE_CASE jh1802
    OR (Authentication:Full-Username CONTAINS Alex.Sharaz
    OR (Authentication:Full-Username CONTAINS ms1691
    OR (Authentication:Full-Username CONTAINS rf1

    UoY DPS Staff is assigned via the statement

    (Authentication:Username EQUALS_IGNORE_CASE rjs502
    OR (Authorization:UoY AD Authentication:memberOf CONTAINS cn=testclearpass,ou=Inst,ou=Groups,ou=UoY,dc=its,dc=york,dc=ac,dc=uk)

    Other statements include

    (Authorization:UoY AD Authentication:memberOf EQUALS CN=g0087stf,OU=Inst,OU=Groups,OU=UoY,DC=its,DC=york,DC=ac,DC=uk)

    to map role "IT Services Staff";

    (Authorization:UoY AD Authentication:memberOf CONTAINS cn=g0000stf,ou=Inst,ou=Groups,ou=UoY,DC=its,DC=york,DC=ac,DC=uk)

    to map role "Staff"; and

    Authorization:UoY AD Authentication:AccountStatus NOT_EQUALS 66050
    AND (Authorization:UoY AD Authentication:AccountStatus EXISTS )

    to check if the AD account is enabled.

    Running a "Role Mapping" policy simulation using a role generation policy that has the above statements in it gives me the result shown below:

    "IT Services Staff, Staff, UnQuarantined, UoY AD Account Enabled, UoY Network Team, UoY User, [User Authenticated]"

    So all of the role assignments work except for the "UoY DPS Staff" one.

    I watched a colleague create the group, set the same access rights as other groups and add my userid to it.

    How can I debug what's going on?

    I know I'm mixing and matching upper/lower case and use of contains or equals, but the other statements work.

    Rgds

    Alex
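A small diagnostic for the kind of mismatch the post describes, added here as an example (it is not ClearPass code and not from the thread). It takes the memberOf values an authorization source actually fetched, as you would read them off Access Tracker, and runs the rule's DN through several comparison styles so you can tell a "group never fetched" problem from a "rule text does not match the stored DN" problem. The fetched values and the helper names (`normalize_dn`, `evaluate`, `diagnose`, `group_names`) are constructed; the operators are plain Python string tests, not a statement of how ClearPass implements its own operators.

```python
"""
Diagnose a ClearPass-style memberOf condition against the values an
authorization source actually fetched. Added example: the fetched values and
helper names are constructed, and the operators are plain string tests.
"""
import re

# Constructed sample of what Access Tracker might show as the user's memberOf.
# AD returns group DNs in its own stored casing, which may differ from what
# the administrator typed into the role-mapping rule.
FETCHED_MEMBEROF = [
    "CN=g0790stf,OU=Inst,OU=Groups,OU=UoY,DC=its,DC=york,DC=ac,DC=uk",
    "CN=g0000stf,OU=Inst,OU=Groups,OU=UoY,DC=its,DC=york,DC=ac,DC=uk",
    "CN=testclearpass,OU=Inst,OU=Groups,OU=UoY,DC=its,DC=york,DC=ac,DC=uk",
]

# Split a DN on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN so two spellings of the same entry compare equal:
    attribute types and values lower-cased (AD matches DN components
    case-insensitively), whitespace around '=' and ',' removed.
    Simplified: does not cover every RFC 4514 escaping rule."""
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def evaluate(operator: str, wanted: str, values: list) -> bool:
    """Apply one comparison operator to a multi-valued attribute; True if any
    fetched value satisfies it. EQUALS/CONTAINS are case-sensitive string
    tests; DN_EQUALS is the structural comparison from normalize_dn."""
    if operator == "EXISTS":
        return len(values) > 0
    for v in values:
        if operator == "EQUALS" and v == wanted:
            return True
        if operator == "CONTAINS" and wanted in v:
            return True
        if operator == "EQUALS_IGNORE_CASE" and v.lower() == wanted.lower():
            return True
        if operator == "DN_EQUALS" and normalize_dn(v) == normalize_dn(wanted):
            return True
    return False


def diagnose(wanted_dn: str, values: list) -> dict:
    """Run every comparison style and report which ones match. If only the
    case-insensitive or DN-aware forms match, the rule text differs from the
    stored DN in case or spacing; if none match, the group was not fetched
    (wrong base DN or scope, stale cache, or the user is not a member)."""
    return {
        op: evaluate(op, wanted_dn, values)
        for op in ("EQUALS", "CONTAINS", "EQUALS_IGNORE_CASE", "DN_EQUALS")
    }


def group_names(memberof_values: list) -> list:
    """Name-only view (the CN of each group DN): what an attribute that
    returns bare group names rather than full DNs would give you."""
    return [normalize_dn(v).split(",")[0].split("=", 1)[1] for v in memberof_values]


if __name__ == "__main__":
    rule = "cn=testclearpass,ou=Inst,ou=Groups,ou=UoY,dc=its,dc=york,dc=ac,dc=uk"
    for op, hit in diagnose(rule, FETCHED_MEMBEROF).items():
        print(f"{op:20} {'match' if hit else 'no match'}")
    print("group names:", group_names(FETCHED_MEMBEROF))
```

Run against the sample, the rule DN from the post matches only under the case-insensitive and DN-normalised comparisons, while a DN for a group the user is not in matches under none. Replacing `FETCHED_MEMBEROF` with the list Access Tracker shows for the real request turns this into a quick check of which of the two situations you are in.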

     



  • 2.  RE: Assigning Roles from AD Groups

    Posted May 03, 2019 02:06 PM

    If I read correctly, you are using two different authentication sources to the same AD. Why? This will result in two LDAP queries.

    Next to this, you can use the Groups parameter instead of the memberOf. Groups will return only the group name and not the full DN.

    In the Access Tracker you can see all the groups fetched from the AD. Have you checked if the group you use is listed?

    By default ClearPass will cache LDAP data for 10 hours. So it can take up to 10 hours before ClearPass assigns the correct role, or you should clear the cache.

    Btw, not every account has the 66050 if it is disabled.
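The closing remark about 66050 is worth making concrete. In Active Directory, `userAccountControl` (the attribute behind an "AccountStatus" value) is a bitmask, and 66050 is just one combination of flags that happens to include the disabled bit, so a rule of the form `NOT_EQUALS 66050` will treat some disabled accounts as enabled. The following is an added example, not ClearPass code and not from the thread; the sample accounts are constructed, and the flag values are the documented `userAccountControl` bits.

```python
"""
Decode Active Directory userAccountControl values. Added example, not
ClearPass code and not from the thread; the sample accounts are constructed.
66050 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE, so a
'NOT_EQUALS 66050' rule misses disabled accounts with a different flag mix.
"""

# Subset of the documented userAccountControl flag bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE = 0x0002


def decode_uac(value: int) -> list:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_enabled_by_bit(value: int) -> bool:
    """Robust check: the account is enabled iff the ACCOUNTDISABLE bit is clear."""
    return not (value & ACCOUNTDISABLE)


def is_enabled_by_66050_rule(value: int) -> bool:
    """The check as written in the thread: AccountStatus NOT_EQUALS 66050."""
    return value != 66050


# Constructed sample accounts.
SAMPLE_ACCOUNTS = {
    "enabled_normal": 512,        # NORMAL_ACCOUNT
    "enabled_no_expiry": 66048,   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "disabled_normal": 514,       # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "disabled_no_expiry": 66050,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
    "disabled_pw_notreqd": 546,   # NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE
}


def disagreements(accounts: dict) -> list:
    """Accounts where the NOT_EQUALS 66050 rule and the bit test disagree,
    i.e. disabled accounts the equality rule would still call enabled."""
    return sorted(
        name for name, uac in accounts.items()
        if is_enabled_by_66050_rule(uac) != is_enabled_by_bit(uac)
    )


if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS.items():
        print(f"{name:20} {uac:6} {decode_uac(uac)}")
    print("rule and bit test disagree for:", disagreements(SAMPLE_ACCOUNTS))
```

On the sample set the two checks disagree for the accounts with value 514 and 546: both are disabled, and both pass a `NOT_EQUALS 66050` test. Testing the single `ACCOUNTDISABLE` bit gives the right answer regardless of which other flags the account carries.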